A “Gen 2” RFID Monitor Based on the USRP

Michael Buettner∗, David Wetherall†∗
∗University of Washington, †Intel Labs Seattle

ABSTRACT
We have developed a low cost software radio based platform for monitoring EPC Gen 2 RFID traffic. The Gen 2 standard allows for a range of PHY layer configurations and does not specify exactly how to compose protocol messages to inventory tags. This has made it difficult to know how well the standard works, and how it is implemented in practice. Our platform provides much needed visibility into Gen 2 systems by capturing reader transmissions using the USRP2 and decoding them in real-time using software we have developed and released to the public. In essence, our platform delivers much of the functionality of expensive (> $50,000) conformance testing products, with greater extensibility at a small fraction of the cost. In this paper, we present the design and implementation of the platform and evaluate its effectiveness, showing that it has better than 99% accuracy up to 3 meters. We then use the platform to study a commercial RFID reader, showing how the Gen 2 standard is realized, and indicate avenues for research at both the PHY and MAC layers.

Categories and Subject Descriptors
C.2.2 [Computer-Communication Networks]: Network Protocols

General Terms
Experimentation, Measurement

Keywords
RFID, EPC Gen 2, Software Defined Radio

1.   INTRODUCTION
   Radio Frequency IDentification (RFID) is an emerging wireless technology that allows small, inexpensive computer chips to be remotely powered and interrogated for identifiers and other information. While there are many kinds of RFID, e.g., HF RFID in credit cards, recent advances in RFID have focused on passive UHF RFID as standardized by the EPC Class-1 Generation-2 (Gen 2) specification in 2004 [4].

   Gen 2 RFID was originally developed as a replacement for barcode identification systems. It provides key advantages such as read ranges of more than 10 meters, non-line-of-sight operation, high inventory rates, and rewritable product IDs. It has seen widespread deployment for tracking pallets in the supply chain and is rapidly expanding to new applications such as large scale, item-level tracking of consumer goods [14, 13]. In 2008, the US Passport Card and the New York and Washington state Enhanced Drivers Licenses were introduced. They contain embedded Gen 2 RFID tags that can be read from up to 50 meters away [11]. The cards were ostensibly introduced to reduce delays at border crossings. New uses that stretch the initial vision of RFID are emerging, as the capabilities of RFID devices advance to include computation, storage and sensing [16].

   Given this rapidly growing application space, understanding how Gen 2 RFID operates in practice is of significant interest to improve current deployment practices, and to identify research challenges in RFID protocols and systems. The Gen 2 standard allows for great flexibility in terms of both physical layer configuration and the sequence of reader commands that can be used to inventory tags. It is important to understand the impact and trade-offs of these implementation decisions. Unfortunately, gaining visibility into RFID deployments is difficult because existing RFID readers are black box systems. They allow limited configuration and return high-level results that simply list tags in range of the reader. They do not expose low-level behavior such as PHY layer configuration, MAC protocol realization, or error rates and timing information. This makes diagnosing problems difficult, and gives researchers little insight into the challenges faced by real-world RFID deployments.

   Because the fine-grained behavior of current systems is poorly understood, existing analytical [9, 12] and simulation studies [6] of RFID are based on idealized versions of both the Gen 2 standard and RFID device performance. Though tools for detailed evaluation of RFID readers and tags exist, they are expensive (>$50K) as they are built using high-end equipment such as vector signal analyzers and proprietary software [8, 1]. Additionally, they are targeted at conformance testing in a lab setting and are ill-suited to analyzing real-world deployments in situ. As a result, existing studies of deployed systems have generally been coarse grained and derive performance metrics from simple read rate [2, 7]. We aim to provide a tool whereby researchers can conduct low-level studies of deployed systems at a reasonable cost.

   In this paper, we present a Gen 2 RFID monitoring platform that provides deep visibility into the operation of RFID systems. To achieve this, we use the Universal Software Radio Peripheral 2 (USRP2) to capture RFID signals and software developed using GNU Radio to decode reader commands. Commercial solutions are built upon signal analyzers capable of GS/s sampling rates. However, the 25 MS/s sampling rate of the USRP2 is sufficient for capturing the complete 25 MHz RFID band with high fidelity. This

ACM SIGCOMM Computer Communication Review                        42                                   Volume 40, Number 3, July 2010
makes our solution cheap and portable as it consists of only a USRP2 and a laptop. By using the open source GNU Radio toolkit to process signals on the host, the software is free and can be easily modified by researchers.

   Our monitoring system decodes all RFID reader transmissions in the RFID band and outputs a message level trace of reader behavior. These traces show the design decisions made by vendors when realizing the Gen 2 protocol, and illuminate real world dynamics such as error rates and protocol timing; such factors are critical for realistic analytical and simulation studies. We expect that our platform will be helpful for identifying bottlenecks in RFID systems and thus avenues for further research; our previous, less capable version has already proven useful in this capacity [3].

   We make three main contributions in this work. First, we present the design and implementation of our system, showing how a low-cost SDR platform and open-source software can be used to create a powerful Gen 2 RFID monitoring tool. We show that our tool can decode reader commands across the complete RFID band with better than 99% accuracy at 3 meters. Second, we use our monitor to study a commercial RFID reader and, to the best of our knowledge, present the first description of how the Gen 2 protocol is realized in practice. As part of this study, we find that algorithms for PHY layer rate adaptation and cross-layer techniques that factor the capture effect into MAC behavior are rich areas for further research. Lastly, this paper can be viewed as a companion document to our monitor system software which can be downloaded from the Comprehensive GNU Radio Archive.¹ We hope that by demonstrating how our monitor can be used to explore existing systems, researchers will use our platform as a foundation for the development of new tools for research.

2.     GEN 2 RFID BACKGROUND
   In this section we introduce the Gen 2 PHY and MAC layers to motivate the design of our monitoring system. Gen 2 tags are fully passive, which means they harvest the entirety of the operating energy from nearby RFID readers. The specification was designed with two major constraints in mind. First, it must be implementable on very low cost RFID tags (each costing a few cents) that are wirelessly powered and computationally weak. Second, it must operate in a regime where readers can communicate with tags and vice versa, but tags cannot communicate with each other or even hear other tag transmissions.

2.1 Gen 2 Physical Layer
   The Gen 2 physical layer has the dual purpose of maximizing harvestable power at the tags, and facilitating downlink and uplink communication. While a reader is communicating with tags it must transmit a continuous RF wave (CW); tags power themselves by harvesting the energy in this RF signal. Downlink communication uses On/Off Keying where bit boundaries are indicated by brief pulses of zero amplitude in the CW, and Pulse Interval Encoding (PIE) where the time between zero amplitude pulses differentiates a zero or a one. Depending on PIE durations, downlink rates range from 27 kbps to 128 kbps.

   Uplink data rates are between 5 kbps and 640 kbps, and communication is achieved via “backscatter” transmission. Passive RFID tags do not technically transmit any energy. Instead, they manipulate how well they reflect (backscatter) the incident CW. This reflected signal, though weak, is received by the reader which decodes the modulated data. Uplink modulation is determined by two parameters specified by the reader: uplink frequency and data encoding. Gen 2 specifies four encoding schemes that differ in the number of cycles per symbol (varying from one cycle to eight). For a given link frequency, an encoding using more cycles will have a lower data rate, but will be more robust to noise.

   Figure 1 shows communication between a reader and tag as captured by a USRP. The CW results in the DC offset of the received waveform, with the series of low amplitude pulses being a reader transmission. The backscattered tag response can be clearly seen as a combination of the incident CW and the reflected CW from the tag. It should be noted that the signal seen in the figure was captured with the USRP antenna placed inches from the RFID tag. This accounts for the prevalent backscatter signal.

[Figure 1: Reader message and tag response. Annotations: Backscatter Tag Response, Reader Message; x-axis: Time (ms).]

   To limit interference with other devices in the 902–928 MHz ISM band, FCC regulations stipulate that UHF RFID systems frequency hop across fifty 500 kHz channels, with dwell times no longer than 400 ms. However, because tags do not “tune” to different channels, when multiple readers are active in an area their transmissions will collide at tags even if the readers are on different channels.

[Figure 2: Message exchange for a Query round. Labels: Query, RN16, ACK, Tag ID, QueryRepeat; x-axis: Time (ms).]

2.2 Gen 2 MAC Layer
   Gen 2 tags decode reader transmissions using a simple edge detector that detects the conspicuous zero amplitude pulses in the CW. However, tags are unable to decode, or even detect, the backscattered signals of other tags. This is in contrast to Ethernet or 802.11 where nodes can hear each other, at least when they are not transmitting. Consequently, the Gen 2 MAC protocol is based on Framed Slotted
Aloha [15] which was designed to operate in a context where transmitting nodes cannot hear each other.

   The general model of RFID is that readers are continuously “inventorying”, i.e., looking for tags that are in range. An inventory round begins with the reader transmitting a Query command that indicates the number of slots in the frame. The number of slots in a frame is a power of two in the range [1, 32768]. After receiving a Query, tags randomly choose a slot in which to reply, and transmit a 16-bit random number (RN16) in that slot. If the reader receives an RN16 in a slot, it ACKs the RN16 and the tag that transmitted it replies with its 96-bit identifier. Tags that collide in a slot are not ACKed and respond again after the next Query.

   Figure 2 shows a message exchange with only one tag present. In the example, the reader powers up and transmits a Query message that specifies four slots in the frame. The first slot immediately follows the Query command, and is empty in this example. The second reader command is a QueryRepeat which indicates the beginning of a new slot. In this case, the tag had chosen the second slot and so it transmits its RN16 in response to the QueryRepeat. It is then ACKed by the reader, and transmits its ID. Because the reader specified four slots in the Query, it sends two additional QueryRepeats looking for any remaining tags. In this case, there is only a single tag so the last two slots are empty. The reader then powers down. This example illustrates a very simple Gen 2 message exchange and does not describe every message defined by the protocol. We will examine more complex scenarios when we look at how the complete MAC is implemented in a commercial reader.

3.   SYSTEM DESIGN AND EVALUATION
   Our monitoring platform aims to provide much of the functionality of commercially available RFID analysis tools, but with greater flexibility and at a fraction of the price. One key insight is that commercial RFID analytics solutions are generally add-on modules to high-end signal analyzers capable of many gigasamples per second. This is far more than is necessary to capture the 900 MHz ISM band.

   By using lower end hardware and open source software, we give researchers a low cost tool for monitoring RFID traffic that can be completely modified by the user. While our monitoring system does not currently provide all the functionality of commercial systems, the hardware platform can theoretically support a complete suite of analysis tools. This includes decoding tag transmissions and messages from multiple, simultaneously transmitting readers. This would be useful for studying existing large scale deployments [19]. By releasing our software to the community, we hope that researchers will continue to build upon our work.

   The hardware platform we use is the Universal Software Radio Peripheral 2 (USRP2) developed by Ettus Research. Signal processing is performed on the host using software developed using the GNU Radio framework. The overall system architecture is shown in Figure 3. Our monitoring system is placed close to an RFID reader, and the USRP2 captures the reader transmissions. The digitized signal is streamed to the host PC over GigE and processed using both stock and custom GNU Radio signal processing blocks. Our custom blocks are shaded in the diagram. The signal undergoes initial signal processing steps, reader transmissions are decoded by the Edge Detector and Bit Decoder blocks, and reader traffic is logged. The following subsections detail the salient features of these components.

[Figure 3: Monitor system diagram]

3.1 Capturing RFID Signals
   The USRP2 is a more powerful version of the original USRP, and has a complex sampling rate of up to 25 MS/s. This is just sufficient for capturing the entire UHF RFID band. The USRP2 is combined with an RF front-end that downconverts signals from the 900 MHz ISM band to baseband, and an onboard FPGA samples this baseband signal and transmits it over GigE to the host PC.

   Though the USRP2 can sustain 25 MS/s over the GigE interface, GNU Radio cannot process a 25 MS/s signal using currently available host machines without falling behind and dropping samples. For example, we were unable to simply write the signal to disk for offline processing, or convert the stream from complex I/Q data to amplitude data, without losing large swaths of data.

   Without modifying the FPGA code of the USRP2, the sample rate over the GigE interface can only be reduced via decimation. Decimation consists of an initial low-pass filter followed by downsampling to reduce the sample rate. The low-pass filter is generally needed because simply downsampling a signal results in aliasing, where non-existent low frequency components are introduced into the signal because the Nyquist rate of the high frequency components is violated. However, when decimating at the USRP, the low-pass filter reduces the width of the frequency band and the host does not receive the complete RFID band.

   Because Gen 2 uses On/Off Keying, frequency aliasing does not affect demodulation. Hence, we reduce the sample rate while capturing the entire 25 MHz band by downsampling by a factor M at the host as the first step in the processing graph. This allows us to tune the USRP2 to the center of the ISM band, and still capture traffic at the edges.

   In our implementation, M is tunable so users can reduce the sample rate until their host can keep up with the signal stream. The sample rate must remain high enough to accurately represent the signal, with higher sample rates being more robust to noise. We find that a sample rate of 3 MS/s, which can easily be supported by most host computers, is sufficient to capture the highest rate reader transmissions.

3.2 Decoding Reader Messages
   Decoding reader transmissions is relatively straightforward. In essence, our monitor needs to solve the same decoding challenge as RFID tags, using hardware costing a few thousand dollars instead of a few cents. The signal is conditioned for decoding by converting the complex I/Q samples to amplitude samples, and then passing the signal through an averaging filter to smooth out noise. An example of the resulting signal is shown in Figure 1.

   Decoding consists of two parts. First, the low amplitude pulses of reader transmissions are detected by finding negative edges in the signal. This is done by comparing each incoming sample against a running average of the signal amplitude. Negative edges due to noise are ignored by only triggering on edges that drop below 90% of the average amplitude; we found this threshold to work well in practice.

   The second part is determining the bits in the signal by inspecting the duration between low amplitude pulses. Each reader message is preceded by a preamble which encodes, among other things, the duration of a “0” and a “1”, with a “1” being approximately twice as long as a “0”.² The monitor extracts this timing information from the preamble, and uses it to distinguish the subsequent bits in the message body. End of message boundaries are detected when no negative edge is seen for a duration greater than twice a “1” bit period. The decoded bits are then logged.

² For more details, we direct interested readers to the Gen 2 standard [4].

3.3 Logging Message Traces
   Decoded reader messages are timestamped and written to a trace file on the host. All bits and preamble timing data are logged. This allows us to determine details such as the PHY layer parameters, the number of slots specified by the Query command, and the RN16 sent in the ACK command. If the decoded bits do not match a valid Gen 2 command, a decoding error is noted in the trace.

   The duration of each message is noted, beginning with the first negative edge and ending with the last, as is the interarrival time. These values are calculated based on the number of samples between these points and the time per sample. This results in a complete trace of all reader traffic in the RFID band, with microsecond resolution.

   Table 1 shows a section of a trace file. In the interest of space, PHY layer parameters gleaned from message preambles have been elided. Both Length and Inter-Arrival are shown in microseconds. Inter-arrival timing is useful for filling in blanks in the trace. For example, we can determine the approximate duration of the ID backscattered by the tag by inspecting the Inter-Arrival value for the last QueryRepeat (QREP) as this measures the time from the last edge of the reader ACK to the first edge of the QueryRepeat. This gives us a good estimate of the duration of tag transmissions, as the periods between reader commands and tag responses (and between tag responses and reader commands) are constrained by the Gen 2 standard to within a few microseconds.

Table 1: Reader message trace

  Time (s)     Command   Bits        Length (us)   Inter-Arrival (us)
  20.294363    P-DWN     NA          NA            592
  20.299102    QUERY     0x8D4064    955           3556
  20.300731    QUERY     0x8D4250    955           748
  20.301414    QREP      0x0         222           540
  20.309600    QREP      0x0         222           535
  20.311117    ACK       0x7EF84     872           746
  20.314011    QREP      0x0         224           2614

3.4 Evaluating Monitor Accuracy
   In this section we evaluate how accurately our monitor decodes reader messages. We require that it perform well out to at least a few meters, because it may not always be feasible to place our monitor directly beside the reader.

   As we do not have “ground truth” data showing what messages the reader actually transmitted, we use two heuristics to evaluate our monitor. First, we look at how often the monitor self-reports errors in decoded messages. Reader messages begin with a command code that identifies the Gen 2 command, and each command has a unique length. When a reader transmission is detected by our monitor, the subsequent message must match both of these features for a known Gen 2 message, otherwise an error is logged. For the second heuristic, we compare the number of ACKs detected by the monitor with the number of tag reads reported by the reader, as there must be at least one ACK transmitted per tag read reported.

   For our experiment, we deployed one Impinj Speedway RFID reader and our monitor, along with one Alien “Omni-Squiggle” RFID tag. Both the monitor antenna and the RFID tag were placed approximately one meter from the transmitting antenna of the reader. The reader inventoried the tag continuously for one minute while the monitor gathered trace data. The reader initially transmitted at 30 dBm, the maximum allowed by the FCC. After each one minute run the transmit power of the reader was reduced. This approach keeps the multipath environment stable between experiments. We present results in terms of equivalent distance using free-space propagation, as we find this more intuitive than results in terms of transmit power.

   Figure 4 shows the results when the reader was configured with a 27 kbps downlink. We experimented with other configurations, and found similar results. The data consists of over 50,000 logged events at each distance. The solid line shows the ratio of error-free messages to the total number of messages detected, with the y-axis spanning approximately 94%–100%. Out to three meters, more than 99% of detected messages were decoded without errors.

[Figure 4: Monitor accuracy. Series: Correct / Total, ACKs / Tag Reads; x-axis: Distance (m).]
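
Sections 3.2 to 3.4 describe edge detection against 90% of a running average, PIE bit decisions from preamble timing, end-of-message detection, trace logging, and the command-code-plus-length error check. The following is an added example, not the released monitor's code and not from the paper, that runs that pipeline on a constructed amplitude trace. The preamble layout (delimiter, data-0, RTcal, optional TRcal), the RTcal/2 decision point, the command codes and lengths, and the Q field position come from the Gen 2 specification; all timings, amplitudes, bit patterns and function names are assumptions.

```python
import random

SAMPLE_RATE = 3_000_000        # 3 MS/s, the host rate Section 3.1 finds sufficient
HIGH, LOW = 1.0, 0.1           # constructed CW and low-pulse amplitudes
DELIM_US, TARI_US, ONE_US, PW_US = 12.5, 25.0, 50.0, 10.0  # constructed PIE timing
RTCAL_US, TRCAL_US = TARI_US + ONE_US, 150.0               # RTcal = "0" + "1" length
# Command code -> (name, total bits), taken from the Gen 2 specification.
GEN2_COMMANDS = {"00": ("QueryRep", 4), "01": ("ACK", 18),
                 "1000": ("Query", 22), "11000000": ("NAK", 8)}
# Constructed frames: Query with Q=2 (4 slots; CRC-5 field is a placeholder),
# QueryRep, ACK with a made-up RN16, and a 5-bit frame that matches no command.
QUERY_4_SLOTS = "1000" + "0" + "00" + "0" + "00" + "00" + "0" + "0010" + "00000"
SAMPLE_FRAMES = [QUERY_4_SLOTS, "0000", "01" + "1011001110001111", "00000"]


def us(t):
    """Convert microseconds to a whole number of samples."""
    return int(round(t * SAMPLE_RATE / 1e6))


def synth(frames, seed=7):
    """Constructed amplitude trace: noisy CW with PIE frames keyed into it."""
    rng, sig = random.Random(seed), []

    def level(value, n):
        sig.extend(value + rng.gauss(0, 0.01) for _ in range(n))

    def symbol(dur_us):            # CW, then the low pulse that ends the symbol
        level(HIGH, us(dur_us) - us(PW_US))
        level(LOW, us(PW_US))

    level(HIGH, us(400))           # reader powers up
    for bits in frames:
        level(LOW, us(DELIM_US))   # delimiter
        symbol(TARI_US)            # data-0
        symbol(RTCAL_US)           # RTcal
        if bits.startswith("1000"):
            symbol(TRCAL_US)       # only Query carries TRcal
        for b in bits:
            symbol(ONE_US if b == "1" else TARI_US)
        level(HIGH, us(500))       # CW while a tag would reply
    return sig


def negative_edges(samples, threshold=0.90, alpha=1 / 4096, taps=4):
    """Indices where the smoothed amplitude drops below 90% of its running average."""
    edges, window, avg, was_high = [], [], None, True
    for n, s in enumerate(samples):
        window = (window + [s])[-taps:]            # short averaging filter
        x = sum(window) / len(window)
        avg = x if avg is None else avg + alpha * (x - avg)
        is_high = x >= threshold * avg
        if was_high and not is_high:
            edges.append(n)
        was_high = is_high
    return edges


def classify(bits):
    """Command code and length must both match a known command, else ERROR."""
    for code, (name, length) in GEN2_COMMANDS.items():
        if bits.startswith(code) and len(bits) == length:
            return name
    return "ERROR"


def query_slots(bits):
    """Slots in the frame = 2**Q; Q is bits 13..16 of a Query (Gen 2 layout)."""
    return 2 ** int(bits[13:17], 2)


def decode(samples):
    """Rows shaped like Table 1: time, command, bits, length, inter-arrival."""
    edges, rows, i, prev_last = negative_edges(samples), [], 0, None
    to_us = 1e6 / SAMPLE_RATE
    while i + 2 < len(edges):
        rtcal = edges[i + 2] - edges[i + 1]
        pivot = rtcal / 2                  # shorter is "0", longer is "1"
        eom_gap = 2 * (2 * rtcal / 3)      # twice a "1", taking "1" = 2 x "0"
        j, bits = i + 2, ""
        if j + 1 < len(edges) and rtcal < edges[j + 1] - edges[j] <= 3 * rtcal:
            j += 1                         # TRcal is longer than RTcal: skip it
        while j + 1 < len(edges) and edges[j + 1] - edges[j] <= eom_gap:
            bits += "1" if edges[j + 1] - edges[j] > pivot else "0"
            j += 1
        rows.append({"time_s": edges[i] / SAMPLE_RATE, "command": classify(bits),
                     "bits": bits, "length_us": (edges[j] - edges[i]) * to_us,
                     "inter_arrival_us": None if prev_last is None
                     else (edges[i] - prev_last) * to_us})
        prev_last, i = edges[j], j + 1
    return rows


if __name__ == "__main__":
    for row in decode(synth(SAMPLE_FRAMES)):
        print(row)
```

The 5-bit frame starts with the QueryRep code but has the wrong length, so it is logged as ERROR, which is the self-reported error the first accuracy heuristic counts.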

   The figure also shows the ratio of ACKs decoded compared to the number of tag reads reported by the RFID reader. By this metric also, our monitor is approximately 99% accurate at three meters. One thing to notice is that this ratio can be slightly greater than 1. This is because when a tag ID is received with bit errors, the reader must retransmit the ACK. However, the read rate was constant from 1 to 4 meters and we found that bit-errors did not appreciably increase; our monitor just becomes less able to decode the ACKs. Overall, our monitor has an accuracy well above 90% to approximately 4 meters, which is sufficient for the intended deployment scenarios.

4.   EXPLORING THE STATE OF THE ART
   In this section, we use our monitor to closely examine the behavior of a commercial reader at the message level. It has been difficult to know how Gen 2 is implemented in commercial systems as many implementation details are left to the vendor. For example, choices at the physical layer can result in downlink rates that vary by more than a factor of four, and uplink rates can vary by more than two orders of magnitude. At the MAC layer, the precise sequence of commands used to inventory tags is not specified by the standard, and it is unclear how real systems choose frame sizes to efficiently read a given tag population. These implementation choices made by vendors are key to reader performance, and the design trade-offs of these choices are poorly understood.

formance. We also proposed a technique where readers dynamically adapt their PHY layer configuration to increase performance. The Impinj reader provides something very similar with their “AutoSet” mode, and using our monitor we can determine how their approach is implemented.

   To determine how “AutoSet” mode adapts to varying conditions, we had the reader continuously read one tag as equivalent distance increased from one to six meters, and reader messages were logged using our monitor. According to the Gen 2 protocol, if bit errors are detected in the tag ID, the reader must send a NAK message to tell the tag to retransmit. Consequently, NAK messages are a good proxy for uplink error-rate, though bit errors in the RN16 and messages below the noise floor are not detected. We found that the incidence of ACKs immediately followed by a NAK increased with distance from less than 1% at one meter to more than 75% at six meters. Thus, the reader would be expected to adapt to the changing link quality.

   Examining the details of the Query messages, we found that only three distinct PHY configurations were used. All three used a 35 kHz downlink with the uplinks being 320 kbps/FM0, 68 kbps/Miller-4, and 20 kbps/Miller-8. When no tags are present, the 68 kbps uplink is used. When a tag is placed close to the reader, the reader generally operates using the 68 kbps configuration, but just before the reader powers down it transmits one last Query using the 20 kbps configuration, ostensibly to “pick up” any remaining tags with weak uplinks.
                                                                        One surprising find was that the 320 kbps uplink is only
4.1 Experimental Setup                                               used when the tag is far from the reader and the error rate
                                                                     is very high. In this case, the reader begins most rounds
  The data presented in this section was gathered using an
                                                                     using the 320 kbps configuration, but continues to end each
Impinj Speedway reader, our monitoring system, and up to
                                                                     round with the more robust 20 kbps rate. We do not entirely
64 Alien “Omni-Squiggle” RFID tags depending on the ex-
                                                                     understand this behavior, particularly because at 6 meters
periment. The monitoring system consisted of a USRP2 and
                                                                     97% of the IDs sent at 320 kbps had errors, whereas only
a Lenovo T61 laptop running 64-bit Linux. The antenna for
                                                                     19% had errors when sent at 20 kbps. Even considering the
our monitor was placed inches from the reader antenna to
                                                                     faster uplink, the protocol overhead associated with errors
generate the most accurate trace possible. The traces were
                                                                     would seem to make this strategy far from optimal.
seen to have an error rate no greater than 1%. This er-
                                                                        We expect that we did not capture all the behavior of the
ror rate was calculated as described in the previous section.
                                                                     “AutoSet” mode with our simple experiment. However, our
Unless otherwise specified, tags were placed on a sheet of
                                                                     findings suggest that there is potential for the further devel-
poster board located one meter from the reader. The trans-
                                                                     opment of dynamic PHY layer algorithms. Our monitor can
mit power of the reader was varied and equivalent distance
                                                                     be used to build realistic error models for readers in their
calculated based on free-space propagation.
                                                                     deployed scenarios, and these can be used to inform analyt-
4.2 Physical Layer Rate Adaptation                                   ical and simulation studies of such algorithms.
   The Gen 2 specification allows for a wide range of PHY
layer configurations. Manufacturers are free to choose down-
link rates from 27 kbps to 128 kbps and uplink rates from
5 kbps to 640 kbps. There are four uplink encodings (FM0,            4.3 MAC Layer Frame Size Selection
and Miller-2/4/8) that vary in how many cycles they use per             One key factor in reader performance is accurate frame
symbol, with more cycles reducing the data rate but being            size selection. The number of slots in the frame is indicated
more robust to noise. By carefully selecting these parame-           in the Query message, and this controls the probability of
ters, manufacturers can tune their systems to balance data           tag collisions. It has been shown that the optimal frame
rate against robustness and spectrum usage.                          size is when the number of slots is equal to the number of
   RFID readers do not generally allow users to set PHY              tags [17], but estimating the number of tags in the popula-
parameters independently. Instead, they provide a small set          tion is non-trivial.
of preconfigured options which are statically configured at               While the Gen 2 specification gives an example algorithm
deployment. The Impinj reader provides 5 “modes”, with               for selecting the frame size, there has been significant work
the highest rate option using a 112 kbps downlink and a 640          targeted at improving this estimation [5, 10]. We set out
kbps FM0 encoded uplink, and the lowest rate using a 27              to determine how the Impinj reader chooses frame sizes to
kbps downlink and a 32 kbps Miller-8 encoded uplink.                 match the tag population. For this, we had the reader in-
   In our previous work [3], we showed how different PHY              ventory a set of tags placed 2 meters away that varied from
configurations impact MAC behavior and overall reader per-            1 to 64 tags.
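The statement in Section 4.3 that a frame is most efficient when its slot count matches the tag count can be checked numerically. The following is an added example, not code from the paper or its released software; it assumes Gen 2's rule that a Query carrying Q opens 2^Q slots, and its `capture` probability (the chance that one reply is still decoded from a colliding slot) is a simplified modelling assumption.

```python
import random

def expected_reads_per_slot(n_tags, q, capture=0.0):
    """Exact expectation for one frame: P(one reply) + capture * P(collision)."""
    slots = 2 ** q  # Gen 2: a Query carrying Q opens a frame of 2**Q slots
    p_empty = (1 - 1 / slots) ** n_tags
    p_single = n_tags / slots * (1 - 1 / slots) ** (n_tags - 1)
    return p_single + capture * (1 - p_empty - p_single)

def simulate_reads_per_slot(n_tags, q, capture=0.0, frames=2000, seed=7):
    """Monte Carlo check of the same model: each tag picks a uniform random slot."""
    rng = random.Random(seed)
    slots = 2 ** q
    reads = 0
    for _ in range(frames):
        replies = [0] * slots
        for _ in range(n_tags):
            replies[rng.randrange(slots)] += 1
        for count in replies:
            # A lone reply is read; a collision is read only if capture occurs.
            if count == 1 or (count > 1 and rng.random() < capture):
                reads += 1
    return reads / (frames * slots)

def best_q(n_tags, capture=0.0, max_q=15):
    """Q value that maximises expected tags read per slot."""
    return max(range(max_q + 1),
               key=lambda q: expected_reads_per_slot(n_tags, q, capture))

if __name__ == "__main__":
    CAPTURE = 0.6  # constructed value, not measured from any reader
    print("tags  best Q  reads/slot | with capture: best Q  reads/slot")
    for n in (1, 2, 4, 8, 16, 32, 64):
        q0, q1 = best_q(n), best_q(n, CAPTURE)
        print(f"{n:4d}  {q0:6d}  {expected_reads_per_slot(n, q0):10.3f} |"
              f" {q1:20d}  {expected_reads_per_slot(n, q1, CAPTURE):10.3f}")
```

Under this model, the best Q for 64 tags moves from 6 to 5 once the constructed capture probability is applied, which is why a frame-size estimator that ignores capture tends to pick frames that are too large.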

ACM SIGCOMM Computer Communication Review                       46                                  Volume 40, Number 3, July 2010
Figure 5: Distribution of tag reads per slot (x-axis: Number of Tags, 1 to 64; y-axis: Tags Read per Slot)

Immediately after powering up, the reader transmits a Query that specifies only one slot. If no tags are present, the reader powers down for 2 milliseconds and tries again. The first Query is effectively just a check to see if any tags are present. If at least one tag is present, the next Query always specifies 16 slots. Beginning frames with no less than 16 slots was suggested in [18], though this is shown to be less than ideal when more than 27 tags are present.

We also found that the reader does not generally iterate through all slots in the frame. If, for example, no tags reply in the first five of the sixteen slots, the reader aborts the frame, as the empty slots indicate that the frame size is too large. Estimating population size on a per slot basis, and aborting frames when necessary, has been shown to increase Gen 2 performance [5].

Because tags randomly choose a slot in which to respond, some slots will be empty, some slots will have only a single tag response, and some slots will have multiple, colliding, tag responses. When the number of slots in a frame matches the number of transmitters (the ideal case), the ratio of slots with a single transmitter approaches $e^{-1}$ (≈ 0.37) [17]. Consequently, if the reader accurately selects the best frame size, we would expect to see an average of 0.37 tags read per slot.

Figure 5 shows the distribution of the average number of tags read per slot for different sized tag populations. We calculated this by comparing the total number of slots in each round to the number of slots where an ACK was transmitted. We found that, in practice, the efficiency of the protocol is much higher than $e^{-1}$. When reading 64 tags, the median number of tags read per slot is > 0.5. This is due to the capture effect, where a strong signal is decoded if it collides with a weaker signal.

Our results show that capture can be a significant component in MAC performance and should be taken into account. However, the extent to which capture happens, and the extent to which this affects protocol performance, has not been studied in depth. As a result, most frame size selection algorithms seen in the literature do not explicitly model the impact of the capture effect. Additionally, the uplink physical layer configuration will impact the prevalence of the capture effect, and consequently the efficiency of the MAC protocol. To the best of our knowledge, this type of cross layer relationship has not been explored.

5. SUMMARY

In this paper, we present a Gen 2 RFID monitoring platform that provides deep visibility into the operation of RFID systems. Our platform uses the USRP2 to capture the complete Gen 2 RFID spectrum, and reader transmissions are decoded using software we developed using the GNU Radio toolkit. By using a low-cost SDR platform and open-source software, we have built a system that is flexible and low cost, but quite powerful for exploring Gen 2 systems. We evaluated the performance of our monitor and found that it was 99% accurate when placed within 3 meters of the reader. This is sufficient for our target scenario of monitoring deployed Gen 2 systems in situ.

To demonstrate the usefulness of our monitor, we studied a commercial RFID reader. We presented details showing how the Gen 2 protocol is realized in practice, and also indicated avenues for further research. Specifically, we feel that algorithms for PHY layer rate adaptation and cross-layer techniques that factor the capture effect into MAC behavior are rich areas for further exploration. Our system software has been released as an open-source project, and is intended as a foundation to be used by other researchers.

6. REFERENCES

[1] Agilent Technologies. 89600 VSA RFID modulation analysis.
[2] S. Aroor and D. Deavours. Evaluation of the state of passive UHF RFID: An experimental approach. In IEEE Systems, 2007.
[3] M. Buettner and D. Wetherall. An empirical study of UHF RFID performance. In MobiCom, 2008.
[4] EPCglobal. EPC radio-frequency identity protocols class-1 generation-2 UHF RFID protocol for communications at 860 MHz-960 MHz version 1.0.9. 2005.
[5] C. Floerkemeier. Bayesian transmission strategy for framed ALOHA based RFID protocols. In IEEE RFID, 2007.
[6] C. Floerkemeier and R. Pappu. Evaluation of RFIDSim - a physical and logical layer RFID simulation engine. In IEEE RFID, 2008.
[7] S. Hodges et al. Assessing and optimizing the range of UHF RFID to enable real-world pervasive computing applications. In Pervasive Computing. Springer-Verlag, 2007.
[8] Intermec Technology Inc. Using National Instruments software and hardware to develop and test RFID tags.
[9] Y. Kawakita and J. Mitsugi. Anti-collision performance of Gen2 air protocol in random error communication link. In SAINTW, 2006.
[10] M. Kodialam and T. Nandagopal. Fast and reliable estimation schemes in RFID systems. In MobiCom, 2006.
[11] K. Koscher, A. Juels, V. Brajkovic, and T. Kohno. EPC RFID tag security weaknesses and defenses: passport cards, enhanced drivers licenses, and beyond. In CCS, 2009.
[12] P. Nikitin and V. Rao. Performance limitations of passive UHF RFID systems. In IEEE Antennas and Propagation Symposium, 2006.
[13] RFID News. Portuguese book retailer rolls out item-level RFID deployment.
[14] RFID Update. Why Metro’s item-level RFID deployment matters.
[15] L. G. Roberts. ALOHA packet system with and without slots and capture. SIGCOMM Comput. Commun. Rev., 1975.
[16] A. P. Sample et al. Design of an RFID-based battery-free programmable sensing platform. In IEEE Transactions on Instrumentation and Measurement, 2008.
[17] F. Schoute. Dynamic frame length ALOHA. IEEE Transactions on Communications, 1983.
[18] H. Vogt. Efficient object identification with passive RFID tags. Pervasive Computing, 2002.
[19] E. Welbourne et al. Longitudinal study of a building-scale RFID ecosystem. In MobiSys ’09, 2009.
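The two trace-derived metrics used in Sections 4.2 and 4.3 (the share of ACKs immediately followed by a NAK, and slots containing an ACK divided by total slots) can be computed from a decoded reader-command log as sketched here. This is an added example, not the authors' released software; the log line format and the sample trace are constructed, and it assumes each Query, QueryRep or QueryAdjust begins a slot.

```python
from collections import defaultdict

# Constructed trace in an assumed "<COMMAND> [uplink] [Q=n]" line format.
TRACE = """\
QUERY 68kbps/Miller-4 Q=2
ACK
QUERYREP
QUERYREP
ACK
NAK
ACK
QUERYREP
QUERY 320kbps/FM0 Q=1
ACK
NAK
ACK
NAK
QUERYREP
QUERY 20kbps/Miller-8 Q=0
ACK
"""
SLOT_STARTERS = {"QUERY", "QUERYREP", "QUERYADJUST"}

def analyse(trace):
    """Per uplink configuration: slots, ACKed slots, and ACK-then-NAK ratio."""
    raw = defaultdict(lambda: {"slots": 0, "acked_slots": 0,
                               "acks": 0, "ack_then_nak": 0})
    uplink, prev, slot_acked = None, None, False
    for line in trace.splitlines():
        fields = line.split()
        if not fields:
            continue
        cmd = fields[0].upper()
        if cmd == "QUERY" and len(fields) > 1:
            uplink = fields[1]          # the Query sets the PHY configuration
        if uplink is not None:          # skip commands seen before any Query
            s = raw[uplink]
            if cmd in SLOT_STARTERS:
                s["slots"] += 1
                slot_acked = False
            elif cmd == "ACK":
                s["acks"] += 1
                if not slot_acked:      # a retransmitted ACK is still one slot
                    s["acked_slots"] += 1
                    slot_acked = True
            elif cmd == "NAK" and prev == "ACK":
                s["ack_then_nak"] += 1  # proxy for a tag ID with bit errors
        prev = cmd
    report = {}
    for cfg, s in raw.items():
        report[cfg] = dict(s,
                           nak_ratio=s["ack_then_nak"] / s["acks"] if s["acks"] else 0.0,
                           reads_per_slot=s["acked_slots"] / s["slots"])
    return report
```

Counting slots that contain an ACK, rather than ACK messages, keeps retransmitted ACKs from inflating the tags-read-per-slot figure.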
